Docket No. 002.0160.US-UTL

Amendments to the Claims 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims: 



1. (currently amended): A system for identifying a macro virus family using a macro virus definitions database, comprising:
a macro virus definitions database comprising a set of indices and macro virus definition data files with each index referencing one or more of the macro virus definition data files and each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro, the sets of the indices and the macro virus definition data files being organized into a hierarchy according to macro virus families in each respective index and macro virus definition data file set based on a type of application to which the macro applies;
a parser parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as suspect strings into a hierarchical parse tree;
a macro virus checker traversing the hierarchical parse tree to retrieve each suspect string and comparing [[a]] the suspect string to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database and determining each macro virus family to which the suspect string belongs from the index for each macro virus definition data file at least partially containing the suspect string.

2. (original): A system according to Claim 1, further comprising:
the macro virus definition data files being indexed into the macro virus families categorized by a replication method employed.

3. (currently amended): A system according to Claim 1, wherein the suspect string comprises part of [[a]] the suspect file comprising a plurality of individual suspect strings.

4. (currently amended): A system according to Claim 3, further comprising:
the macro virus checker identifying a replication method substantially common to a plurality of the individual suspect strings in the suspect file.

5. (original): A system according to Claim 4, further comprising:
the macro virus checker identifying the macro virus family by which the common replication method is indexed.

6. (original): A system according to Claim 1, further comprising:
the macro virus definitions database storing string constants common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
the macro virus checker comparing the suspect string to the string constants in the one or more macro virus definition data files for each macro virus family.

7. (original): A system according to Claim 6, further comprising:
a parameter specifying a threshold to matches of commonly shared string constants.

8. (original): A system according to Claim 6, further comprising:
a parameter specifying a minimum length of commonly shared string constants.

9. (original): A system according to Claim 1, further comprising:
the macro virus definitions database storing source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
the macro virus checker comparing the suspect string to the source code text in the one or more macro virus definition data files for each macro virus family.

10. (original): A system according to Claim 9, further comprising:
a parameter specifying a threshold to matches of commonly shared source code text.

11. (original): A system according to Claim 9, further comprising:
a set of keywords used in the stored source code text to identify each replication method employed.

12. (original): A system according to Claim 1, further comprising:
the macro virus checker resetting the index referencing one or more of the macro virus definition data files for at least one macro virus family and creating a new macro virus definition data file entry comprising an index referencing one or more macro virus definition files.

13. (original): A system according to Claim 12, further comprising:
the new macro virus definition data file entry defining the macro virus attributes by storing at least one of a string constant and source code text.

14. (original): A system according to Claim 1, further comprising:
the macro virus checker parsing macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family.

15. (original): A system according to Claim 14, further comprising:
the macro virus checker cross referencing at least one of a string constant and source code text from the parsed macro file attributes against the macro virus attributes defined in the virus definition data files.

16. (original): A system according to Claim 1, further comprising:
the macro virus checker iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file.

17. (currently amended): A method for identifying a macro virus family using a macro virus definitions database, comprising:
maintaining a macro virus definitions database comprising a set of indices and macro virus definition data files with each index referencing one or more of the macro virus definition data files and each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
organizing the sets of the indices and the macro virus definition data files into a hierarchy according to macro virus families in each respective index and macro virus definition data file set based on a type of application to which the macro applies;
parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as suspect strings into a hierarchical parse tree;
traversing the hierarchical parse tree to retrieve each suspect string and comparing [[a]] the suspect string to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database; and
determining each macro virus family to which the suspect string belongs from the index for each macro virus definition data file at least partially containing the suspect string.

18. (original): A method according to Claim 17, further comprising:
indexing the macro virus definition data files into the macro virus families categorized by a replication method employed.

19. (currently amended): A method according to Claim 17, further comprising:




12/10/2004 16:23 2053813999 PATRICK JS INOUYE PS PAGE 19



Response to First Office Action 
Docket No. 002.0160.US-UTL 

providing the suspect string as part of [[a]] the suspect file comprising a plurality of individual suspect strings.

20. (currently amended): A method according to Claim 19, further comprising:
identifying a replication method substantially common to a plurality of the individual suspect strings in the suspect file.

21. (original): A method according to Claim 20, further comprising:
identifying the macro virus family by which the common replication method is indexed.

22. (original): A method according to Claim 17, further comprising:
storing string constants common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
comparing the suspect string to the string constants in the one or more macro virus definition data files for each macro virus family.

23. (original): A method according to Claim 22, further comprising:
applying a threshold to matches of commonly shared string constants.

24. (original): A method according to Claim 22, further comprising:
designating a minimum length of commonly shared string constants.

25. (original): A method according to Claim 17, further comprising:
storing source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
comparing the suspect string to the source code text in the one or more macro virus definition data files for each macro virus family.

26. (original): A method according to Claim 25, further comprising:
applying a threshold to matches of commonly shared source code text.

27. (original): A method according to Claim 25, further comprising:
defining a set of keywords used in the stored source code text identifying each replication method employed.

28. (original): A method according to Claim 17, further comprising:
resetting the index referencing one or more of the macro virus definition data files for at least one macro virus family; and
creating a new macro virus definition data file entry comprising an index referencing one or more macro virus definition files.

29. (original): A method according to Claim 28, further comprising:
defining the macro virus attributes for the new macro virus definition data file entry by storing at least one of a string constant and source code text.

30. (original): A method according to Claim 17, further comprising:
parsing macro virus attributes from one or more file objects; and
analyzing the macro virus definition data files by index for each macro virus family.

31. (original): A method according to Claim 30, further comprising:
cross referencing at least one of a string constant and source code text from the parsed macro file attributes against the macro virus attributes defined in the virus definition data files.

32. (original): A method according to Claim 17, further comprising:
iteratively retrieving each macro virus definition data file using the index for each macro virus family; and
providing the macro virus attributes defined in the retrieved macro virus definition data file.

33. (original): A computer-readable storage medium holding code for performing the method according to Claims 17, 18, 19, 22, 25, 28, 30, or 32.

34. (currently amended): A system for identifying a macro virus family using a macro virus definitions database, comprising:
a macro virus definitions database comprising a set of indices and associated macro virus definition data files, further comprising:
one or more of the macro virus definition data files referenced by the associated index with each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
a hierarchy organized according to a macro family to which each of the sets of the indices and the macro virus definition data files belong based on a type of application to which the macro applies;
a parser parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as strings into a hierarchical parse tree;
a macro virus checker traversing the hierarchical parse tree to retrieve the strings and comparing one or more strings stored in a suspect file to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database and determining the macro virus family to which the suspect file belongs from the indices for each of the macro virus definition data files at least partially containing the suspect file.

35. (currently amended): A system according to Claim 34, further comprising:
each macro virus family defined according to a replication method substantially common to each of the macro virus definition data files associated with one such index.

36. (original): A system according to Claim 34, further comprising:
the macro virus definitions database storing at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
the macro virus checker comparing the suspect string to the at least one of the string constants and the source code text in the one or more macro virus definition data files for each macro virus family.

37. (original): A system according to Claim 36, further comprising:
the macro virus checker applying a threshold to matches of at least one of commonly shared string constants and commonly shared source code text.

38. (original): A system according to Claim 36, further comprising:
the macro virus checker designating a minimum length of commonly shared string constants.

39. (currently amended): A method for identifying a macro virus family using a macro virus definitions database, comprising:
maintaining a macro virus definitions database comprising a set of indices and associated macro virus definition data files, further comprising:
referencing one or more of the macro virus definition data files by the associated index with each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
organizing the sets of the indices and the macro virus definition data files into a hierarchy according to macro virus families based on a type of application to which the macro applies;
parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as strings into a hierarchical parse tree;
traversing the hierarchical parse tree to retrieve the strings and comparing one or more the strings stored in a suspect file to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database;
determining the macro virus family to which the suspect file belongs from the indices for each of the macro virus definition data files at least partially containing the suspect file.

40. (currently amended): A method according to Claim 39, further comprising:
defining each macro virus family according to a replication method substantially common to each of the macro virus definition data files associated with one such index.

41. (original): A method according to Claim 39, further comprising:
storing at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
comparing the suspect string to the at least one of the string constants and the source code text in the one or more macro virus definition data files for each macro virus family.

42. (original): A method according to Claim 41, further comprising:
applying a threshold to matches of at least one of commonly shared string constants and commonly shared source code text.

43. (original): A method according to Claim 41, further comprising:
designating a minimum length of commonly shared string constants.

44. (original): A computer-readable storage medium holding code for performing the method according to Claims 39, 40, or 41.
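
Added example, not part of the filed response and not the applicant's code: a minimal Python sketch of the flow recited in Claims 17 and 22 to 26, in which a suspect macro is parsed into string-constant and source-code-text tokens held in a parse tree, the tree is traversed, and each token is compared against per-family definition data files with a match threshold and a minimum string length. The family names, attribute values, parameter defaults, the exact-match comparison and the sample macro are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed database: application type -> family index -> definition data files.
DEFINITIONS = {"word": {
    "FamilyA": [{"strings": {"sample-marker-alpha"}, "code": {"copymodule me, target"}},
                {"strings": {"alpha was here"}, "code": {"target.save"}}],
    "FamilyB": [{"strings": {"important message from"}, "code": {"sendcopy recipient"}}],
}}
QUOTED = re.compile(r'"([^"]*)"')

def parse(source):
    """Parse tree: procedure name -> string-constant and source-code-text tokens."""
    tree, current = {}, "(module)"
    for line in map(str.strip, source.splitlines()):
        start = re.match(r"(?i)(?:sub|function)\s+(\w+)", line)
        if start or re.match(r"(?i)end\s+(?:sub|function)", line):
            current = start.group(1) if start else "(module)"
            continue
        if not line or line.startswith("'"):
            continue  # blank line or comment
        node = tree.setdefault(current, {"strings": [], "code": []})
        node["strings"] += [s.lower() for s in QUOTED.findall(line)]
        # Source code text is normalised: literals blanked, whitespace collapsed.
        node["code"].append(re.sub(r"\s+", " ", QUOTED.sub('""', line)).lower())
    return tree

def classify(source, app, threshold=2, min_len=8):
    """Return {family: distinct matches} for families that reach the threshold."""
    hits = defaultdict(set)
    for node in parse(source).values():
        for kind, tokens in node.items():
            for token in tokens:
                if kind == "strings" and len(token) < min_len:
                    continue  # short constants are too common to be evidence
                for family, files in DEFINITIONS.get(app, {}).items():
                    if any(token in f[kind] for f in files):  # exact match (assumption)
                        hits[family].add((kind, token))
    return {fam: len(found) for fam, found in hits.items() if len(found) >= threshold}

# Constructed suspect macro; CopyModule is a made-up statement, not a real VBA call.
SAMPLE = '''Sub AutoOpen()
    Const Tag = "sample-marker-alpha"
    CopyModule   Me, Target
    MsgBox "hi"
End Sub'''

if __name__ == "__main__":
    print(classify(SAMPLE, "word"))
```

Raising `threshold` or `min_len` trades recall for fewer false family assignments, which is the role the claimed parameters play.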